Theory:

FSW must be configured every time you create a Database Availability Group for Exchange 2010 and Exchange 2013 (if you do not specify one, Exchange will configure the FSW on the first CAS server without the Mailbox role installed). Besides the other parameters, you should specify the WitnessServer and WitnessDirectory parameters.

FSW is used to maintain quorum (node majority for the DAG application) when there is an even number of nodes in the DAG.

FSW is only actively used when there is an even number of servers in the DAG, either because you configured an even number of servers by design, or because you configured an odd number by design and one of them is broken. Otherwise the Witness directory on the Witness server is empty.

An alternate FSW must also be configured if you enable Datacenter Activation Coordination.
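The theory above as an added Exchange Management Shell example (not commands from the original post): a DAG created with an explicit witness, an alternate witness added when DAC mode is enabled, and a check of whether the witness share is actually in use. DAG01, S01/S02, FS01/FS02 and the C:\FSW path are made-up lab values.

```powershell
# Added example: explicit witness configuration for a DAG. Names below are constructed.
$dagName    = 'DAG01'
$witness    = 'FS01.testexch.local'   # non-Exchange file server: the Exchange Trusted Subsystem
                                      # group must be in its local Administrators group
$altWitness = 'FS02.testexch.local'

# Always pass WitnessServer/WitnessDirectory yourself; otherwise Exchange picks the first
# CAS-only server for you.
New-DatabaseAvailabilityGroup -Name $dagName -WitnessServer $witness -WitnessDirectory "C:\FSW\$dagName"

# Two members = even count, so the witness will be needed for quorum.
Add-DatabaseAvailabilityGroupServer -Identity $dagName -MailboxServer 'S01'
Add-DatabaseAvailabilityGroupServer -Identity $dagName -MailboxServer 'S02'

# Alternate witness, configured together with Datacenter Activation Coordination mode.
Set-DatabaseAvailabilityGroup -Identity $dagName `
    -AlternateWitnessServer $altWitness -AlternateWitnessDirectory "C:\FSW\$dagName" `
    -DatacenterActivationMode DagOnly

# Verify: WitnessShareInUse tells you whether the cluster is really using the share.
# With an even member count it should be in use; with an odd count the directory stays empty.
$dag     = Get-DatabaseAvailabilityGroup -Identity $dagName -Status
$members = @($dag.Servers).Count
"{0} members ({1}), witness {2}\{3} in use: {4}" -f $members,
    $(if ($members % 2 -eq 0) { 'even: witness needed' } else { 'odd: witness idle' }),
    $dag.WitnessServer, $dag.WitnessDirectory, $dag.WitnessShareInUse
```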

I have been upgrading my RTM Exchange 2013 to CU1. I have 2 multirole servers in a DAG. I started to install CU1 on the node hosting only passive copies of databases. In step 1 of 18, Organization preparation, the GUI setup generated an error, as can be seen in the following picture.

The recommended workaround from Microsoft is to delete the following object from the AD configuration partition using ADSI Edit:

I am using a certificate from the StartCom certification authority (however, this happened to me also with GeoTrust), because it is free, so I passed the request to the web browser, generated a new certificate, downloaded it and tried to import the certificate into the Exchange environment.

The first import went OK, but I did not see the pending certificate request being completed.

The second import attempt generated an error:

I checked the local certificate store for the computer account; the certificate was there, but it didn't have a private key attached to it.

Solution:

The solution is simple. Run the command below, where "SerialNumber" is the serial number of your certificate:

certutil -repairstore my "SerialNumber"

After running the command, the certificate with serial number "SerialNumber" will be connected to its private key, the pending certificate request will be completed, and you can continue as usual.
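The repair above wrapped in a short PowerShell loop, as an added example (not from the original post): it finds every certificate in the computer's Personal store that has no private key, runs certutil against its serial number, and then verifies the result. It assumes you run it on the server where the original request (and thus the private key) was generated.

```powershell
# Added example: repair certificates imported without their private key.
# The private key lives in the pending request on the server that created the request,
# so this only works on that server; elsewhere the import will keep producing a key-less cert.
$orphans = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { -not $_.HasPrivateKey }

if (-not $orphans) { 'No certificate without a private key in LocalMachine\My' }

foreach ($cert in $orphans) {
    "Repairing {0} (serial {1}, expires {2})" -f $cert.Subject, $cert.SerialNumber, $cert.NotAfter
    # Same command as in the post: re-associate the certificate with its private key.
    certutil -repairstore my $cert.SerialNumber
}

# Verify: HasPrivateKey should now be True, and Exchange should show no pending request
# left for it (the request is completed by the repair).
Get-ChildItem -Path Cert:\LocalMachine\My |
    Select-Object Subject, SerialNumber, HasPrivateKey, NotAfter | Format-Table -AutoSize
Get-ExchangeCertificate | Where-Object { $_.Status -eq 'PendingRequest' } |
    Select-Object Thumbprint, Subject, Status
```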

All errors related to OABGen should be written to the event log. After that you can use the cmdlets below; they find and count all OAB errors ($OABerrors) and extract the names of the skipped users ($OABerrorsUser).

Variable $OABerrorsUser could be used for another loop based on your needs of repairs.

Event ID 9325 basically occurs because the recipient's primary SMTP address (PrimarySmtpAddress) was changed without updating the Mail attribute (WindowsEmailAddress). If the Mail attribute does not match the primary SMTP address, the recipient is dropped when the offline address book is generated. A description of how to solve this issue is given here: Using Powershell to Correct 9325 Events in Exchange 2007

The event can also occur for mail-disabled users if the ShowInAddressBook attribute is not clear (<not set>). All mail-enabled objects (users, contacts, groups, public folders) always have this attribute filled in. The attribute can be cleared via ADSI Edit or the Active Directory module for Windows PowerShell.
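An added example (not the post's own cmdlets) that puts the pieces of this section together: collect the 9325 events, build $OABerrorsUser from them, and run the follow-up loop for both causes described above. The regex assumes the 9325 message reads "OABGen will skip user entry 'Display Name' in address list ..." (an assumption; adjust it to the wording in your log), and the loop runs with -WhatIf until you are happy with the output.

```powershell
# Added example: find OABGen 9325 skips and repair the two causes named in the post.
# Requires the Exchange Management Shell plus the ActiveDirectory module.
$OABerrors = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 9325 } -ErrorAction SilentlyContinue
"{0} OABGen 9325 events found" -f @($OABerrors).Count

# Assumed message form: "OABGen will skip user entry '<name>' in address list ..."
$OABerrorsUser = $OABerrors |
    ForEach-Object { if ($_.Message -match "skip user entry '([^']+)'") { $Matches[1] } } |
    Sort-Object -Unique

foreach ($name in $OABerrorsUser) {
    $rcpt = Get-Recipient -Identity $name -ErrorAction SilentlyContinue
    if ($rcpt) {
        # Cause 1: PrimarySmtpAddress changed, mail attribute (WindowsEmailAddress) not updated.
        if ("$($rcpt.WindowsEmailAddress)" -ne "$($rcpt.PrimarySmtpAddress)") {
            "{0}: mail={1} primary={2} -> re-syncing mail attribute" -f $name, $rcpt.WindowsEmailAddress, $rcpt.PrimarySmtpAddress
            switch ("$($rcpt.RecipientType)") {
                'UserMailbox' { Set-Mailbox     -Identity $name -WindowsEmailAddress $rcpt.PrimarySmtpAddress -WhatIf }
                'MailUser'    { Set-MailUser    -Identity $name -WindowsEmailAddress $rcpt.PrimarySmtpAddress -WhatIf }
                'MailContact' { Set-MailContact -Identity $name -WindowsEmailAddress $rcpt.PrimarySmtpAddress -WhatIf }
                default       { "{0}: recipient type {1} not handled here" -f $name, $rcpt.RecipientType }
            }
        }
    }
    else {
        # Cause 2: mail-disabled user (no recipient object) that still carries showInAddressBook.
        $user = Get-ADUser -Filter "Name -eq '$name'" -Properties showInAddressBook
        if ($user -and $user.showInAddressBook) {
            "{0}: mail-disabled but showInAddressBook is set -> clearing" -f $name
            Set-ADUser -Identity $user -Clear showInAddressBook -WhatIf
        }
    }
}
```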

---------------------------
Microsoft Outlook
---------------------------
There is a problem with the proxy server's security certificate.
The name on the security certificate is invalid or does not match the name of the target site.
Outlook is unable to connect to the proxy server. (Error Code 10)
---------------------------
OK
---------------------------

This is definitely related to Outlook Anywhere and the client (Outlook 2013), which wraps remote procedure calls (RPCs) in an HTTP layer. By default this feature is enabled and all Outlook connectivity takes place over it, relying on a valid SSL certificate on the CAS server(s). Mailbox servers only require the default self-signed SSL certificate. According to the screenshot above, you need either to have the value "s04.testexch.local" in the certificate on the CASs, to switch off RequireSSL, or to change the host name value to match your needs (e.g. if you have a certificate with a different name).

ExternalClientAuthenticationMethod (Negotiate authentication is enabled by default in Exchange 2013. This is a combination of Windows integrated authentication and Kerberos authentication. If negotiate authentication is used, Exchange authenticates the client using the NTLM authentication type and, if it cannot verify authenticity, challenges the client to authenticate using a username and password.)

SSLOffloading (Note: The SSLOffloading parameter specifies whether the Client Access server requires SSL. Set this value to $true only when an SSL hardware offloading solution is running in front of the Client Access server.)

In my case I used a cert issued by an internal CA with two subject alternative names, mail.testexch.local and autodiscover.testexch.local. So it was only needed to rewrite the InternalHostname attribute on each CAS server.
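The check and fix from this section as an added example (not the post's commands): for every CAS it lists the names on the IIS-bound Exchange certificate, reports any Outlook Anywhere host name that is not among them, and rewrites InternalHostname where needed. mail.testexch.local is the lab name from the post; the comparison is exact, so a wildcard certificate needs a manual look.

```powershell
# Added example: make Outlook Anywhere host names match the CAS certificate, which is the
# mismatch behind the "name on the security certificate is invalid" dialog (Error Code 10).
$internalName = 'mail.testexch.local'   # name present on the certificate (post's lab value)

foreach ($cas in Get-ClientAccessServer) {
    # Names (CN + SANs) on the certificate that IIS presents; Outlook Anywhere runs under IIS.
    $names = Get-ExchangeCertificate -Server $cas.Name |
        Where-Object { "$($_.Services)" -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains | ForEach-Object { "$_" } }

    foreach ($oa in Get-OutlookAnywhere -Server $cas.Name) {
        $missing = @()
        foreach ($h in @($oa.InternalHostname, $oa.ExternalHostname)) {
            if ($h -and ($names -notcontains "$h")) { $missing += "$h" }
        }
        if ($missing) {
            "{0}: host name(s) not on certificate: {1}" -f $oa.Identity, ($missing -join ', ')
            # InternalHostname has to be set together with InternalClientsRequireSsl.
            # Drop -WhatIf once the report above is what you expect.
            Set-OutlookAnywhere -Identity $oa.Identity -InternalHostname $internalName `
                -InternalClientsRequireSsl $true -WhatIf
        }
        else {
            "{0}: OK (internal={1}, external={2})" -f $oa.Identity, $oa.InternalHostname, $oa.ExternalHostname
        }
    }
}
```

Run Test-OutlookConnectivity or simply reconnect an Outlook 2013 client afterwards to confirm the dialog no longer appears.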

The CAS server in Exchange 2013 only proxies the traffic and does not render the mailbox data. Besides the advantage of needing only a Layer 4 load balancing solution (hell, you could just use round robin), the new architecture reduces the number of namespaces you need when deploying Exchange (source: EHLO: I am Exchange 2013 CAS Role).